OIDC DID-Auth Profile

From IIW



Day/Session: Wednesday 3K

Convener: Oliver Terbu

Notes-taker(s): Oliver Terbu


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


The goal was to find a way to use OIDC request and response messages to support SSI wallets without needing a central OpenID Connect Provider (OP). Another approach would be to get redirected to your OP and perform the authentication step using an SSI wallet. That approach relies on a central OP, which is not desired here.


Some takeaways:

- DID Auth was understood more as a concept than as one particular protocol.

- Defining an OIDC DID Auth profile was considered to be a good idea.


OIDC profile:

- This will be used to convey the DID Auth request and response messages using OIDC.

- Using OIDC makes it possible to leverage existing libraries and to support OIDC clients with only minor changes.

- How to solve discovery? -> Self-issued OP

- Distributed claims could help to support Verifiable Credentials from different Issuers

- Using the nonce as a challenge in DID Auth was considered a good idea.

- Using a JWT header from the id token to kick off DID Resolution -> the jwks URL could be a DID.

- The iss field will encode the iss inside the id token.
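
As an added illustration of the nonce-as-challenge and header-triggered DID Resolution points above (not code from the session or from any specification): a relying-party pre-check in Python. It assumes the DID travels in the JWS `jku` header parameter, uses a simplified DID pattern and a constructed token with a dummy signature; verifying the signature against the resolved DID document must follow and is not shown.

```python
import base64, json, re, secrets

# Simplified DID syntax check for this sketch, not a full DID grammar.
DID_RE = re.compile(r"did:[a-z0-9]+:[A-Za-z0-9._:%-]+")

def b64url_json(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) to a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value

def constructed_token(nonce, jku, alg="ES256K"):
    """Constructed sample id token; the signature part is a dummy value."""
    header = {"alg": alg, "jku": jku}   # assumption: the DID is carried in jku
    return ".".join([b64url_json(header), b64url_json({"nonce": nonce}), "c2ln"])

class RelyingParty:
    def __init__(self):
        self.pending = set()  # challenges issued and not yet redeemed

    def new_challenge(self):
        nonce = secrets.token_urlsafe(32)
        self.pending.add(nonce)
        return nonce

    def precheck(self, id_token):
        """Return the DID to resolve, or raise ValueError. Verifies no signature."""
        parts = id_token.split(".")
        if len(parts) != 3:
            raise ValueError("not a compact JWS")
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
        if str(header.get("alg", "none")).lower() == "none":
            raise ValueError("unsigned token")
        did = str(header.get("jku", "")).split("#")[0]  # drop the key fragment
        if not DID_RE.fullmatch(did):
            raise ValueError("jku is not a DID")
        nonce = claims.get("nonce")
        if not isinstance(nonce, str) or nonce not in self.pending:
            raise ValueError("unknown or replayed challenge")
        self.pending.discard(nonce)  # single use: a second presentation fails
        return did
```

The challenge is redeemed only after the header checks pass, so a malformed response does not consume it.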


Furthermore, an IETF profile for JWT with native support for DIDs was also considered. It would allow iss, aud, and sub to be a DID.


Overall, the session was very productive and I’m glad so many people participated in the session.